No quick patch to kill Duqu, turn back clock to when viruses weren't smarter than your apps

Most blame governments for Stuxnet; is Duqu the same or a huge step forward for digital crooks?


Only one unencrypted file, the load-point driver, is ever written to the disk during the entire process. Duqu was clearly designed to minimize detectable footprints left on the disk. – Symantec, "W32.Duqu: The precursor to the next Stuxnet" (PDF)

Not everyone believes in Son of Stuxnet

Not everyone is convinced Duqu is such a big deal. Taking advantage of a flaw in the Windows kernel is a "pretty common" technique for malware of all kinds, according to Andrew Storms, director of security operations at nCircle Security, as quoted in Infoworld.

Evidence that Stuxnet and Duqu are directly related is "circumstantial at best," Jon Ramsey, CTO of Dell SecureWorks, told Computerworld.

Both viruses are sophisticated in the way they work, but all the similarities are in one module from each – the kernel driver that allows it to inject itself into a specific Windows process, Ramsey said.

Other techniques, such as hiding encrypted DLLs in files using a .PNF extension, which is what Windows uses to store precompiled setup information; fake digital signatures, rootkits to hide files and other techniques used by both Stuxnet and Duqu are also used by many other malware writers for the same purposes, Ramsey said.

Having to use a crutch like that to get past routine security – and having to rely on Word documents for transport – may mean Duqu is not only not related to Stuxnet, but that it's a lot less sophisticated than many seem to think, Storms told Infoworld.

Maybe, but I doubt it.

Too smart to be 'just a virus'

Storms is right that a lot of viruses exploit Windows flaws.

Usually they exploit known flaws and count on users not having installed all the patches they should.

Most virus writers don't discover new flaws in the kernel and use them as the entry point for a colony of malware whose members communicate sotto voce among themselves and hand responsibility for talking to the home office to the copies living in Administration rather than R&D – so that only a few infected machines, the ones with a plausible reason to reach the Internet, ever carry the command-and-control traffic.
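One concrete check that follows from the .PNF trick Ramsey describes above: a precompiled INF is structured, repetitive data, whereas an encrypted DLL parked under the same extension is close to random, and byte entropy separates the two. The script below is an added example written for this page, not Symantec's or anyone else's detection code. The entropy threshold, minimum file size, and the sample file names and contents are all assumptions constructed here for illustration; real .PNF files vary, so a hit is a triage lead to examine, not a verdict.

```python
"""Entropy triage for .PNF files: flag ones that look encrypted rather than precompiled-INF.

Added example for this page. Threshold, sizes and sample files are constructed assumptions.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import List, Tuple

# Assumption: encrypted/compressed payloads approach 8 bits per byte, while
# structured precompiled-INF data sits well below that. Tune on your own fleet.
HIGH_ENTROPY_BITS = 7.2
# Assumption: very small files give unreliable entropy estimates; skip them.
MIN_SIZE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Return Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_pnf_files(directory: str,
                         threshold: float = HIGH_ENTROPY_BITS,
                         min_size: int = MIN_SIZE_BYTES) -> List[Tuple[str, float]]:
    """Return (path, entropy) for every .pnf file in `directory` whose bytes look encrypted.

    Extension matching is case-insensitive, mirroring Windows, so "x.PNF" and "x.pnf" both count.
    """
    hits = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file() or path.suffix.lower() != ".pnf":
            continue
        data = path.read_bytes()
        if len(data) < min_size:
            continue
        ent = shannon_entropy(data)
        if ent >= threshold:
            hits.append((str(path), ent))
    return hits


def build_sample_dir() -> str:
    """Create a temp directory of constructed sample files (not real Duqu artifacts).

    - netcfg.PNF : repetitive INF-style text standing in for a benign precompiled INF
    - oem7A.PNF  : random bytes standing in for an encrypted DLL hidden under .PNF
    - readme.txt : random bytes with the wrong extension, to show the filter ignores it
    """
    d = tempfile.mkdtemp(prefix="pnf_scan_")
    benign = b'[Version]\r\nSignature="$Windows NT$"\r\nClass=Net\r\n' * 200
    (Path(d) / "netcfg.PNF").write_bytes(benign)
    (Path(d) / "oem7A.PNF").write_bytes(os.urandom(64 * 1024))
    (Path(d) / "readme.txt").write_bytes(os.urandom(8 * 1024))
    return d


def demo() -> List[str]:
    """Scan the constructed sample directory and return the flagged file names."""
    d = build_sample_dir()
    return [Path(p).name for p, _ in suspicious_pnf_files(d)]


if __name__ == "__main__":
    for name in demo():
        print("suspicious:", name)
```

On a real host you would point `suspicious_pnf_files` at the Windows INF directory and compare hits against the INF that each PNF was compiled from; an entropy hit with no matching INF, or one that appeared outside a driver install, is the thing worth pulling for analysis.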

Photo credit: Symantec, "W32.Duqu: The precursor to the next Stuxnet" – flowchart of the Duqu installation procedure.
